In the operation of public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates (more specifically, a list of certificate serial numbers) that have been revoked and therefore should not be relied upon. The list enumerates certificates that have been revoked before their scheduled expiration date, together with the reason(s) for revocation. When a certificate is issued, it carries a validity period defined by the Certification Authority. In addition, each list contains a proposed date for the next release.
When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user. There are several reasons why a certificate might need to be revoked and placed on a CRL. For instance, the key specified in the certificate might have been compromised, or the user specified in the certificate may no longer have authority to use the key. CRLs list only current certificates, since expired certificates should not be accepted in any case: once a revoked certificate reaches its expiration date, it can be removed from the CRL. Normally, there are two ways to distribute CRLs: in the "pull" model, verifiers download the CRL from the certification authority (CA) as needed, and in the "push" model, the CA sends the CRL to the verifiers at regular intervals.
The main limitation of CRLs is that updates must be downloaded frequently to keep the list current.
Although CRLs are maintained in a distributed manner, there may be many repositories for them, such as network sites that collect the latest CRLs from many organizations. Regular auditing and monitoring of CRL validity therefore becomes rather urgent.
Obviously, the simplest way to check the validity of a CRL, and a sufficient one in most cases, is to test that the CRL is accessible and that the update date it carries has not expired. Thus, a CRL can be said to be valid if it is accessible and the next-update date stated in the CRL has not been passed by the current date.
The Monitis CRL monitor implements the logic described above to check the validity of CRLs periodically. The monitor is based on the Monitis Custom Monitors concept and uses the Monitis API to communicate with the Monitis dashboard, where the user can view the monitoring results at any time. The monitor is configured through a config file that specifies the URL where the CRL is located. The monitor checks the accessibility of the CRL and, if it is accessible, downloads and parses it in order to obtain the next-update date. Parsing follows the X.509 standard, and validity is judged only by the next-update date. This procedure runs periodically according to the interval defined in the config file. For example, we tested the URL http://public.wisekey.com/crl/, which contains a few CRLs. The Monitis monitor checked all the CRLs found there and uploaded the corresponding information to Monitis. Once the dashboard receives this information, the corresponding table is shown. Note that the user can filter the measurement list by the CRL of interest and look through the monitor results.
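As an added illustration of the next-update check described above (example code written for this page, not the Monitis monitor's own source), the following standard-library Python parses a DER-encoded CRL just far enough to read thisUpdate and nextUpdate from tbsCertList and reports the CRL as valid only if nextUpdate is present and not yet passed. The download step is left out, and the CRL bytes are a constructed sample with an empty issuer name and a placeholder signature.

```python
import datetime as dt

UTC = dt.timezone.utc

def _tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its [(tag, value), ...] elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    """Decode X.509 Time: UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    s = val.decode("ascii")
    if tag == 0x17:                        # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def crl_status(der, now_iso=None):
    """Apply the check from the text to a DER CRL: read thisUpdate/nextUpdate from
    tbsCertList and report valid only if nextUpdate exists and is not in the past."""
    now = dt.datetime.fromisoformat(now_iso).replace(tzinfo=UTC) if now_iso else dt.datetime.now(UTC)
    tbs = _children(_children(_tlv(der)[1])[0][1])   # CertificateList -> tbsCertList fields
    i = 1 if tbs[0][0] == 0x02 else 0                # optional version INTEGER
    i += 2                                           # skip signature AlgorithmIdentifier, issuer Name
    this_update = _time(*tbs[i])
    has_next = i + 1 < len(tbs) and tbs[i + 1][0] in (0x17, 0x18)
    next_update = _time(*tbs[i + 1]) if has_next else None
    return {"this_update": this_update, "next_update": next_update,
            "valid": next_update is not None and now <= next_update}

def _der(tag, content):
    """Encode a short-form DER TLV (enough for the constructed sample below)."""
    return bytes([tag, len(content)]) + content

# Constructed sample CRL (not a real one): sha256WithRSAEncryption OID, empty issuer,
# thisUpdate 2024-01-01, nextUpdate 2024-01-31, placeholder signature bits.
_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
SAMPLE_CRL = _der(0x30, _der(0x30, _der(0x02, b"\x01") + _ALG + _der(0x30, b"")
                        + _der(0x17, b"240101000000Z") + _der(0x17, b"240131000000Z"))
                  + _ALG + _der(0x03, b"\x00\x00\x00\x00\x00"))
```

The parser handles long-form lengths, so it reads real CRLs fetched from a distribution point, while the sample encoder only needs the short form; the CRL signature is not verified here, which a production monitor should add.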
To get the CRL monitor, please go to GitHub.